IETF Logo Mail Archive

Re: [DNSOP] draft-fujiwara-dnsop-avoid-fragmentation-00

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 10 July 2019 19:13 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20179120143 for <dnsop@ietfa.amsl.com>; Wed, 10 Jul 2019 12:13:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.702
X-Spam-Level:
X-Spam-Status: No, score=-0.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A0vcSNMdxAi1 for <dnsop@ietfa.amsl.com>; Wed, 10 Jul 2019 12:13:23 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3066812006B for <dnsop@ietf.org>; Wed, 10 Jul 2019 12:13:23 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id m23so2261643vso.1 for <dnsop@ietf.org>; Wed, 10 Jul 2019 12:13:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ti+j9Athm2VbRotRNNyChsniMQOI+1F55/G3Wnpqv10=; b=S0wpYArAkqR+L1gtOY5rJbrZyXc0RGhMFSsCvhgh6MOTAjL1w+KCIoiEYCbEdOA4V6 zkO3aGvUvKTyrObYyix+uZ/D2783wA18ptcPhTuQbMZnh/OiEWFBOCCEgmivT3+T6v9p cTJ3+QhV9lhZoV4JkOfTmPoqgDH42N83UxP9UZ4XwTiCJuvMtw1Z3M0I9O7FUlB160d+ IL5dZcALWEsHgZOUvX2TMfgWI2B/010rbYMNFkiewEpGzPVteTy/8DomdBPzkH5kL+8V 3O94//4o+7bDZ2jIfGzXZqllwWDk3xvS60BtYB0VvBFqs4QTmfx9tKbkgNmkeMS/cU9j zhTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ti+j9Athm2VbRotRNNyChsniMQOI+1F55/G3Wnpqv10=; b=Uj2c7ZSksb+aahkO1RhMfsJa2JZld2qQJmtZmh3ImU2I+I6JOvRWKXqtqUn3OCrKic hk2XCi1AV+ascc6rgP2F37Z16nTptnTvfH1Jk4wEZobXeQTsddUf2j4SjxoDyoR7H3El km4WYX5GGVynmxYRHTU0t+lkeD+hA8RkcFGxQgXzC1A/fdmS2eno/bNrM7VHOyRkf99c 8TEe6jOdqzbd8xx7b4TbzgtGmSwU1BWvGwyXLxSYZrBnn5fDSsJgnXF3hJHHfkJelAbi NOmUwx4k8vSLvBLP3qBBC79tPxwO1XaZHgNcN6wsu2SS6sDuv44kKI46rCbKP83Q6kef /ySA==
X-Gm-Message-State: APjAAAUmMvxLRHyvDLI4KoUt4clGF1zqkdwzS/CQlnM04nyVpTMGsx3V 50EjvPhKItfGATafm6yUOO0wb2kGFpeiIkGEihE2E6t8
X-Google-Smtp-Source: APXvYqwy20QYUucpnp8dbIlO0lHUCUxk0SZZe45vjC48e5g689up0PfGhCQdSWOBMSE6E5dsnZti8b0bosYP5PAtwHU=
X-Received: by 2002:a67:e9c3:: with SMTP id q3mr7268221vso.5.1562786002124; Wed, 10 Jul 2019 12:13:22 -0700 (PDT)
MIME-Version: 1.0
References: <20190705.180133.1983186017707424360.fujiwara@jprs.co.jp>
In-Reply-To: <20190705.180133.1983186017707424360.fujiwara@jprs.co.jp>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 10 Jul 2019 12:13:10 -0700
Message-ID: <CAH1iCioi8pA1W=q4VVSp7cZ3M7f1QRBRWot-DQcbx_7o2w6AAw@mail.gmail.com>
To: fujiwara@jprs.co.jp
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008444d8058d587889"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JbJih_4hIXOEwxLJGskRFja2XLQ>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-avoid-fragmentation-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 19:13:25 -0000

Sorry for the late message, but I support both the intent and the draft.

One question:
Would it be feasible for recommending that full service resolvers check for
EDNS0 bufsize compliance, and treat violations as if they were TC=1?
E.g. Suppose I am a resolver, and send my query to an authority server with
bufsize=1220 (per the draft). If I get a response that exceeds that size, I
unilaterally modify the response to set the TC bit, which triggers retry
over UDP, without looking at any of the response data.

If it makes sense, it probably should be added to the above draft rather
than being standalone.

I think this suggestion is a very minor hack, and I can't see any real
downside to it.

The bufsize adherence is mandatory. If bufsize was <= MTU, for sure
fragmentation occurring would require bufsize violation.
(The reverse is not automatic; if MTU <= actual < bufsize, fragmentation
might not have occurred, even though the requested bufsize was not honored.)
This adds protection against the one corner case that the original ID isn't
able to fix.

The upside of this suggestion is, the party at risk (resolver and
resolver's clients) is the same party that needs to apply the fix, i.e. it
is symmetric in nature.

Obviously, authority servers that do not honor bufsize still need to fix
their implementations, but at least this allows impacted resolvers to
unilaterally protect themselves (exactly analogous to setting bufsize <=
MTU in the first place).

Brian

On Fri, Jul 5, 2019 at 2:02 AM <fujiwara@jprs.co.jp> wrote:

> Dear DNSOP,
>
> I submitted draft-fujiwara-dnsop-avoid-fragmentation-00.
>
>   https://tools.ietf.org/html/draft-fujiwara-dnsop-avoid-fragmentation-00
>
> It proposes avoid IP fragmentation operation in DNS.
>
> I removed details of attack to path MTU discovery and cache poisoning
> attacks using IP fragmentation from
> draft-fujiwara-dnsop-fragmentation-attack01, and changed as
> recommendations.
>
> Details of attacks are written in slides at OARC 30.
>
> https://indico.dns-oarc.net/event/31/contributions/692/attachments/660/1115/fujiwara-5.pdf
>
>
> If the draft is interested, I will request timeslot at IETF 105.
>
> I think it is time to consider to avoid IP Fragmentation in DNS.
> It is possible to avoid IP fragmentation as much as possible.
>
> It is not good that DNS is the biggest user of IP fragmentation.
>
> Regards,
>
> --
> Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
>
>
>
> A new version of I-D, draft-fujiwara-dnsop-avoid-fragmentation-00.txt
> has been successfully submitted by Kazunori Fujiwara and posted to the
> IETF repository.
>
> Name:           draft-fujiwara-dnsop-avoid-fragmentation
> Revision:       00
> Title:          Avoid IP fragmentation in DNS
> Document date:  2019-07-04
> Group:          Individual Submission
> Pages:          5
> URL:
> https://www.ietf.org/internet-drafts/draft-fujiwara-dnsop-avoid-fragmentation-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-avoid-fragmentation/
> Htmlized:
> https://tools.ietf.org/html/draft-fujiwara-dnsop-avoid-fragmentation-00
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-fujiwara-dnsop-avoid-fragmentation
>
>
> Abstract:
>    Path MTU discovery is vulnerable and IP fragmentation may cause
>    protocol weakness.  Currently, DNS is said to be the biggest user of
>    IP fragmentation.  However, it is possible to avoid IP fragmentation
>    in DNS because TCP transport and truncation work well.  This document
>    proposes to avoid IP fragmentation in DNS.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email